Portal configuration services

1. Configuration Service
2. Deployment Service
3. Data Store Service
4. Loader Service
5. Localizer Service
6. Navigator Service
7. Registry Service
8. Portlet Container Service
9. Pipe Pool Service
10. Content Access Service
11. HTTP client service
12. Cache Manager Service
13. State Manager Service
14. Administrator Unique Names Mapping Service
15. Portal Security Services
16. Access Control Data Management Service
17. Authentication Service
18. Credential Vault Service
19. External Access Control Service
20. Auditing Service
21. Puma Store and Validation services
22. Puma Store Service
23. Puma Validation Service
24. xmlaccess.sh

Configuration Service

The Configuration Service is responsible for collecting the most essential configuration data of the portal engine. Many of these parameters are set by the installation procedure. Therefore, plan well ahead and apply special care when modifying these parameters.

The Configuration Service also holds the configuration properties for WSRP services.

was.home = (${WAS_INSTALL_ROOT})

Absolute path to the install directory of WAS.

wps.home = (${WPS_INSTALL_ROOT})

Home (or install) directory of the WebSphere Portal.

command.sessionvalidatar = (SessionValidaterAuth)

The name of the command that serves as the session validatar command.

command.login = (LoginUserAuth)

Login command

command.logout = (LogoutUserAuth)

Logout command

redirect.login = (true)

Turn on user-defined redirection after successful login. If a URL has been specified under redirect.login.url that URL is used as the URL for the redirection. If no URL is specified, the portal determines the default page for the current user and sends a redirect to that page in the protected portal area.

redirect.login.ssl = (false)

Turn on SSL in the system-defined redirection after successful login. If no URL is specified, the redirect URL uses HTTPS.

redirect.login.url [optional] = <none>

URL for redirection after successful login. If no URL is specified, the portal determines the default page for the current user and sends a redirect to that page in the protected portal area. This setting does not affect implicit logins, such as single sign-on with LTPA token or through an external security manager.

redirect.login.authenticated.url [optional] = <none>

URL for redirection after the first access to a protected page when the user has already been authenticated by an external security manager (TAI) and a portal session does not exist yet. If no URL is specified, the portal either displays the protected page that was originally requested, or, if session resume is enabled, the last page that the user had accessed in the previous session.

redirect.logout = (false)

Turn on user-defined redirection after successful logout. If a URL has been specified under redirect.logout.urlthat URL is used as the URL for the redirection. If no URL is specified, the portal determines the default page in the public portal area and sends a redirect to that page.

redirect.logout.ssl = (false)

Turn on SSL in system-defined redirection after successful logout. If no URL is specified, the redirect URL uses HTTPS.

redirect.logout.url = <none>

URL for redirection after successful logout. If no URL is specified, the portal determines the default page in the public portal area and sends a redirect to that page.

ldapserviceattributename.attribute [optional] = (uid)

Set whether portal workflow integration uses a dedicated user attribute when identifying individual users on Process Server. Set this property to the user attribute used by Process Server during task authorization. Process Server uses the J2EE principal name for this purpose. By default the J2EE principal name maps to the uid user attribute in most LDAP servers, except for Domino servers. Domino LDAP servers use the cn attribute by default, therefore for such a configuration set the ldapserviceattributename.attribute to the value cn. Optional.

multiple.realms.enabled = false

Allow login with uid@realm.

multiple.realms.login.default.realm = <none>

Allow login with uid@realm.

multiple.realms.user.dn.template = <none>

Allow login with uid@realm.

host.name = <none>

The default is that no value exists for host.name. In this case, portal URLs start with the host name of the incoming request. The host name in URLs be static, you enter a host name here.

For example, in case of a cluster installation we can enter the name of the network traffic dispatcher here. If a host name is entered, this entry is used to create the portal URLs.

host.port.http = <none>

The HTTP port (normally 80).

host.port.https = <none>

The HTTP-SSL port (normally 443).

security.css.protection = (true)

Whether Cross-Site-Scripting security protection is turned on. The default is true for enabling the protection.

redirect.commands = (false)

A portal command is followed with an HTTP redirect. This way URLs can be bookmarked. Using this feature results in a certain performance overhead. Therefore it should only be used if needed.

uri.context.path = (/wps)

The context path under which the portal is running.

uri.context.path.facade = (/wsrp)

The context path for the additional WAR file used as a facade web application for the WSRP implementation. This enables you to use SSL with Client Authentication for WSRP and simultaneously use other means of authentication for the portal, for example form based authentication. This separation is required as J2EE allows only for one authentication mechanism per WAR file.

uri.home.public = (/portal)

The servlet context of the portal engine for public (or anonymous) pages, i. e. pages that users can view without entering a user ID or password.

uri.home.protected = (/myportal)

The servlet context portal engine for protected (or personal) pages. i. e. pages that users can only view by entering a user ID and password.

uri.home.doc = (/doc)

The servlet context of the portal engine for the documentation area.

uri.home.substitution = (false)

Whether a public URL should be translated to a protected URL if a user session exists.

wsrp.resourceproxy.basic.auth.credentialslot = <none>

On a WSRP Consumer portal used to specify a credential vault slot containing the user ID and password credentials. The resource proxy servlet will use the credentials from the credential vault slot when fetching resources that are protected by HTTP basic authentication. The user ID and password will be sent to all remote resources that are referenced in the markup of the remote WSRP portlet.

wsrp.resourceproxy.no.header.forwarding = <none>

On a WSRP Consumer portal used to specify the list of HTTP headers that are not forwarded from the client request in addition to the host header and cookie headers. The host header and cookie headers are never forwarded independent of how this property is set.

persistent.session.level = (0)

Refer to Configure user session persistence. If set to 3, this setting does not affect implicit logins, such as single sign-on with LTPA token or through an external security manager.

persistent.session.option = (0)

Whether the user gets the option to resume the session. If set to 0, the level setting for the property persistent.session.level is applied during login, and the user has no choice whether to resume the previous session or not. If you give users the resume option by setting to 1, set persistent.session.level to 1 or 2. Refer to Configure user session persistence.

timeout.resume.session = (false)

Whether resuming the session after a session timeout requires user authentication. Default is false. If false and the user tries to continue working after a session timeout, the portal shows an error message stating that the session has timed out and the user has to log in again. If true, the portal ignores the session timeout and does not show the error message. The user can resume the previous session without authentication and continue to work. In both cases the previous session is resumed according to the setting of the persisted.session.level property.

session.security.use.errorcode = (true)

Whether the portal performs a redirect or displays an HTTP error, if session security support is enabled for the portal server and the user in the session does not correspond to the authenticated user in the request. Session security support is a hardening feature of WAS. We can activate it for each application server in the WAS admin console under

Web Container Settings | Session Management

If this session security support is active, the application server checks for each authenticated request whether the user who owns the current session matches the user who originated the request.

For example, this can be determined by the LTPA token. The portal service configuration property only specifies how the portal behaves, if it detects a mismatch between the session user and the authenticated user.

If true, the portal returns the HTTP error code defined by the property session.security.errorcode. This typically results in an appropriate error message being displayed.

If false, we can specify a redirect URL using the property session.security.redirecturl.

For example, we can redirect to a specific error page which is then displayed to the user.

By default this property is set to true.

session.security.errorcode = (409)

HTTP error code that is returned if all of the following conditions apply:

1. Session security support is enabled in the WAS.

2. The property session.security.use.errorcode is set to true.

3. A mismatch of the user in the session and the authenticated user is detected.

Specify a valid HTTP error code. The default is error code 409.

session.security.redirecturl = <none>

Redirect URL to which portal redirects if all of the following conditions apply:

1. Session security support is enabled in the WAS.

2. The property session.security.use.errorcode is set to false.

3. A mismatch of the user in the session and the authenticated user is detected.

You must specify a value for this property, if the property session.security.use.errorcode is set to false. This property has no default.

portal.session.protection = (true)

Specify that, for each authenticated portal request, portal checks whether the user in the portal session matches the calling user of the current request. If this results in a mismatch, the portal invalidates the existing session and creates a new one for the calling user to make sure that both identities match. The portal provides this hardening feature, which is independent of the session security support provided by WAS. By default this property is set to true, therefore by default the portal performs this check.

portal.enable.filtering = (true)

Whether the portal should use Portal Filtering or not. The default is true.

portlet.url.find = <none>

URL used for find and set in global settings portlet.

portlets.unauthorized.visible = (false)

Determines what a user sees if they are not authorized to view a portlet.

portletcontainer.std.custom.windowStates = <none>

Define custom window states handled by the portal. Allows portlets to specify custom window states as defined in the Java Portlet Specification 1.0. The portal allows portlets to generate URLs and consequently invoke other portlets with a custom window state if both of the following preconditions apply:

• The invoked portlet specifies a custom window state in its deployment descriptors ( portlet.xml ).

• That window state is registered using this property.

The property value is a comma separated list of custom window states. An example is:

portletcontainer.std.custom.windowStates = winState1, myWinState

allow.derived.titles = (true)

Determines if the title and description of derived pages can be redefined by users. If the value is set to false, titles and description of pages can only be changed on non-derived pages.

wps.mappingurl.portal_url_identifier = (/!ut/p)

Define an identifier for Portal URLs. For the specification of the format of this property refer to the topic about URL mapping.

wps.mappingurl.enabled = (true)

Whether URL Mapping is enabled or not. Possible values are true to enable URL Mapping, or false to disable URL Mapping.

navigation.portletmenu.mode = (0)

Define in which way portlet menus are integrated in the overall portal navigation menu structure. Portlet menus are navigation parts provided by the portlet itself. They can be added as a subtree to the navigation menu item that references the page in which the portlet resides. This parameter has the following three options:

0	Disabled	Portlet Menus are not displayed in the navigation menu at all. Default.
1	Current selection	Only the portlet menus of the portlets that reside on the currently selected page are added under the navigation menu item for that page.
2	Everything	The portlet menus of all portlets on all pages are added under the appropriate navigation menu items in the navigation tree.

navigation.expansion.defaultstate = (false)

Whether the nodes in the navigation tree are expanded or collapsed by default. The default is false, which means that the nodes are collapsed. Some exceptions apply; for example, the Portal Administration navigation tree is expanded by default.

Setting this to true does not affect Web 2.0 themes, as the expansion state is not returned from the portal REST service.

page.reload.interval = (0)

Page reload interval for unauthenticated users. Use it to specify the interval in minutes after which the portal page hierarchy should be reloaded for an unauthenticated user. The reload respects the most current access control settings for that user. If this value is set to zero, no automatic reload occurs during the session.

wsrp.caching.enabled = (true)

Enable or disable WSRP markup caching. The default for this parameter is true. This means that WSRP markup caching is enabled, if no value is specified for this parameter. For more details refer to WSRP Markup Caching.

friendly.enabled = (true)

Determines whether friendly URL names can be set for portal pages in the Manage Pages portlet. Default is true. If true , we can add friendly URLs for portal pages in the Manage Pages portlet. "Friendly" means that we can use a name that is concise and easy to remember to address a specific portal page. To add a friendly URL for a portal page, click the Edit Page Properties icon for the page for which to add a friendly URL. We can then give the portal users that URL, and they can access that page by entering the URL in the Address field of their browser.

When creating a URL Mapping or create or modify a page, make sure that URL Mappings and friendly URLs in the portal do not match, partially overlap, or otherwise interfere with each other.

For example, do not use strings such as home, ibm, ibm.com, and do not use strings that have been used as URL Mappings or friendly URLs in the portal already. Otherwise infinite browser redirect loops might occur, sometimes without an error message. To determine such strings, create an export from the portal using xmlaccess.sh and scan the exported XML result output file for the string to use for the URL Mapping or for the friendly URL.

If set to true , we can use the property...

friendly.redirect.enabled

...to determine whether a redirect should be sent if the incoming URL did not contain the friendly URL prefix of the addressed page.

friendly.redirect.enabled = (true)

Whether or not a redirect should be sent if the incoming URL did not contain the friendly URL prefix of the addressed page. Does not take any effect if friendly URLs have been disabled by setting the property friendly.enabled to false. Valid values for this property are as follows:

true

Set to true if we use an External Security Manager in the portal deployment configured to protect URLs based on their prefixes. Default.of this property.

false

If false , no redirect is sent in the case previously described.

friendly.pathinfo.enabled = (true)

Determines whether friendly URLs can contain path information to a content item as part of the URL Default is true. Support for path information in friendly URLs also requires that the friendly.enabled property be set to true.

friendlyname.uniqueness.enforcement = (true)

Determines whether the portal enforces that new friendly names are unique across existing non-private sibling nodes. The default value is true . The enforcement does not include derived pages with an inherited friendly name and siblings that are moved in by a personalization rule.

portlet.iwidget.markup.prefetching = (true)

Determines whether the markup of portlets on pages in Client-side rendering mode should be loaded together with the markup for the portal page Default is true. Define the default markup prefetching behavior for pages that are configured to use the Client-side rendering mode. The default behavior can be overridden on a per portlet basis by declaring the same property as a portlet init parameter in the deployment descriptors (portlet.xml) of the portlet. To disable portlet markup prefetching by default, set the value of this property to false. In this case the markup of portlets on pages in Client-side rendering mode is fetched using separate HTTP requests.

wcm.pages.enabled = (true)

Whether web content pages are enabled. The default value is true.

wcm.config.seedlist.version = (1.0)

Version of the search seedlist format being used by the portal. Supported values include 1.0 for seedlist format 1.0 and 0.9 for seedlist format 0.9. The default value is 1.0.

wcm.config.seedlist.servletpath = (/seedlist)

Path to the servlet that generates the search seedlistDefault is /seedlist.

This section describes the portlet response headers.

portletcontainer.response.headers.additionallyNotAllowed = <none>

There is a predefined set of response header fields which are not allowed to be used in portlet response fields. In addition to these predefined header fields it is possible to define additional fields, which are then also prohibited to be included into a portlet response header.

Values must be separated by commas, if more than one field is specified.

The following list shows the header fields of the HTTP 1.1 (RFC 2616) specification that are by default not allowed to be set:

6.2 Response Header Fields:

The response-header fields allow the server to pass additional information about the response that cannot be placed in the Status-Line. These header fields give information about the server and about further access to the resource identified by the Request-URI.

• Accept-Ranges (Section 14.5)
• Location (Section 14.30)
• Proxy-Authenticate (Section 14.33)
• Server (Section 14.38)
• Vary (Section 14.44)
• WWW-Authenticate (Section 14.47)

7.1 Entity Header Fields:

Entity-header fields define meta information about the entity-body or, if no body is present, about the resource identified by the request. Some of this meta information is optional; some might be required by portions of this specification.

• Allow (Section 14.7)
• Content-Encoding (Section 14.11)
• Content-Language (Section 14.12)
• Content-Length (Section 14.13)
• Content-Location (Section 14.14)
• Content-MD5 (Section 14.15)
• Content-Range (Section 14.16)
• Content-Type (Section 14.17)
• Expires (Section 14.21)
• Last-Modified (Section 14.29)

4.2 Message Headers:

HTTP header fields, which include general-header (section 4.5), request-header (section 5.3), response-header (section 6.2), and entity-header (section 7.1) fields, follow the same generic format as that given in Section 3.1 of RFC 822 [9]. Each header field consists of a name followed by a colon ( : ) and the field value. Field names are case-insensitive.

portletcontainer.response.headers.forceAllowed = (none)

Re-enable the usage of the header fields which are by default prohibited header fields. Values must be separated by commas, if more than one field is specified.

portlet.enable.transcoding = (true)

Whether transcoding is enabled.

portlet.automaximize = (false)

If true, the portlet window is maximized when a portlet is set into edit, configure or help mode.

proxy.enable.app.config = (false)

If true, the Ajax proxy ignores all proxy-config.xml files inside portlets.

content.topology.writelock.timeout = milliseconds (default=25000)

Maximum wait time to obtain a writable model before issuing a timeout warning. To add or change the settings, open Resource Environment Providers in the WAS admin console. Restart the portal server after making the changes.

content.topology.writelock.dump = true|false (default=false)

Control if a Java core dump is written in case of a timeout event for debugging. To add or change the settings, open Resource Environment Providers in the WAS admin console. Restart the portal server after making the changes.

com.ibm.wps.filestore.JCRWebdavTreeModelFactory.cacheClearOnRestart = true|false (default=true)

Whether the file cache content is invalidated and fetched again after server startup. Default is true.

actual.SSO.tokenUrl = your_URL_for_SAP_integration (no default)

Optional. Specify a referenced parameter of SAP integration. Change the parameter name according to the chosen reference in the SAP integration page properties. Specify the URL for SAP integration as the value.

proxy.cv.slot.regex = the regular expression with allowed slot IDs

Optional. Define a subset of available slots in the Credential vault to which to limit the access of the AJAX proxy. For details refer to the topic about AJAX proxy authentication.

Deployment Service

The Deployment Service provides services for accessing the configuration parameters required for the portlet deployment.

The portlet deployment component is responsible for the integration of portlets into the portal. It handles the correct deployment of portlet applications and their WAR files into WebSphere Portal and WAS. It uses the WAS management services for the physical deployment and management of WAR files in the WAS. Management of WAR files includes installing, removing, redeploying, starting, and stopping portlet applications.

1. WebSphere Portal v8.0 has the configuration separated into two types:
   • Deployed configuration. Read-only. The deployed configuration is always read from the file portlet.xml.
   • Administrative configuration. Read/Write.

   The deployed configuration can be modified using administrative portlets or xmlaccess.sh. The administrative configuration is never overwritten by changes to the deployed configuration.

2. Portlet applications appear in the Enterprise Application list on the WAS admin console. However, you should never manage them from outside the portal. Instead, manage them using the portal administration portlets or xmlaccess.sh of the portal. You recognize web applications which comprise a portlet application by their administrative name, also called the display name. It is shown in the WAS admin console. We can identify the name of such a portlet application by a portal specific identifier prefix...
   PA_name

   For example...

   PA_WPS_Welcome

   The name in turn is derived from the name of the WAR file when the portlet application is installed. We can change this administrative name with an update of the portlet application.

In the following list of parameters the values given in parentheses are the default values.

was.admin.host = (localhost)

The WAS administrative host name. Used to adapt to the WAS bootstrap host name, if the default is not applicable.

use.admin.user = (true)

Select between two user authentication mechanisms for the portal Portlet dmgr to authenticate with the WAS administrative services when portal security is enabled. Specify one of the following two possible values:

true

Use a single preset shared user ID for all portal administrative users who issue WAR deployment requests. Default. This is a separate user ID that is common for all users who are allowed to perform install or manage applications tasks. You must register this user ID with WAS admin console User Administrator rights.

false

Use the actual user ID by which the administrator issues the WAR deployment request. Every portal user with portlet deployment rights must be added to the WAS admin console User list with administrator rights. Alternatively, we can add the complete group of portal administrators to the WAS admin console Group administrator rights.

was.notification.timeout = (300)

Timeout value (in seconds). It specifies how many seconds the deployment tasks waits for an application server event during the management of WAR files. This value may have to be increased on large portal installations.

portletapp.starting.weight = (100)

Starting weight of the portlet applications (war files). To ensure the correct initialization sequence, this value must be higher than the starting weight of the portal itself.

portletapp.shared.library.list

Library references added to each deployed WAR file during deployment. We can specify multiple references separated by a comma ( , ). The library references must have already been defined in the application server, and the JAR files must have already been deployed at the location assigned in the reference definition.

portletapp.reload.enabled = preserve

Reload property of the deployed WAR file.:

true

Enable reloading mode for all WAR files. Use for portlet development and portlet debugging purposes, but not for production environments.

false

Disable reloading mode for all WAR files. Default.

preserve

When specified, the setting from ibm-web-ext.xmi is applied, if available.

The default setting is false.

Do not enable reloading in a production environment. Enable reloading only for portlet development and portlet debugging purposes.

discard.config.interval = (60)

Minimum time interval for which the configuration service workspace used during WAR file deployment is kept. After this time expires, the workspace is discarded when the portal runs the next deployment task. The unit of measure is minutes. Valid values are listed in the following, together with their meaning:

-1

Never discard the workspace.

0

Always discard the workspace immediately after the action that required the workspace has been completed.

> 0 (numerical value greater than 0)

Time interval (in minutes) for which a workspace is retained before it is discarded. It is then rebuilt for the next deployment task.

1. Use good judgement when setting this property. The proper use of this setting must be a compromise between performance and workspace consumption for the following reasons:

   • Discarding the workspace frequently has a negative impact on deployment performance. The larger the portal installation is, the longer it takes to discard and rebuild the workspace to save the configuration changes during WAR file deployment.

   • However, retaining a workspace keeps the wp_xxx temporary directories in the WAS wstemp directory. Consequently, the temporary space that they occupy in the file system grows every time a WAR file is deployed and every time the portal is restarted.

2. The configuration service workspace is not discarded immediately after expiry of the time interval set. The cleanup is done the next time that a deployment operation is called. It checks for expired changes and discards the workspace that they occupy. If further deployment operations occurred after the last time that the timer interval expired and the workspace was released, the changes in the last allocated workspace remain in the file system even on portal shutdown. Nevertheless, the previous cleanup reduces the volume of occupied disk space to only those temporary file that were processed after the last cleanup interval.

The following values define file locations. All these settings have default values and should only be enabled and modified if the defaults are not appropriate.

delete.temp.files = (true)

Whether temporary file created during deployment in the directory application.repository.dir.name/temp are deleted or kept. The default is true , which means that the files are deleted. Change the value to false only for debugging purposes so that we can view the content of the temporarily expanded WAR files. After completing debugging, change the value back to true and delete the directories manually. If you change the value to false, be aware that the hard drive space required by the temporary directory grows with each WAR file that we add or update.

shorten.deployment.names = (true)

Enforce shorter file names during deployment. Some platforms, such as Windows impose a limit to the length of a file path. This can cause deployment to fail if the resulting path is too long.

deployment.names.limit = (21)

Threshold value for portlet application file and display names. Longer names will be shortened if required.

The following setting is for debug purposes only. Enable it only when instructed to do so by support personnel.

deployment.debug.log.times = (false)

Data Store Service

WebSphere Portal uses a database to store configuration data for pages, clients, markup, and all other resources.

The DataStore Service is responsible for managing the data source of the portal as configured while installing WebSphere Portal. Normally there should not be a need to modify any of the configuration parameters in the DataStore service:

scheduler.cleanup.enabled = (true)

Whether deletion of portal pages is performed later by the scheduled cleanup service, or immediately after the user completes the deletion task. This affects the deletion of portal pages and all their dependent resources, such as components and portlet instances. The default is true, which means that deletion of portal pages is delayed and performed by the cleanup service.

Even if this parameter is set to true and delayed cleanup, deleted pages are no longer visible to users immediately after deletion.

For details about this parameter and how to schedule the cleanup service, refer to Delayed cleanup of deleted portal pages.

datasource.machineid

Equivalent to the MAC address of the server. It consists of a string of 12 hexadecimal figures.

Do not change the value for this parameter.

The following properties are domain specific properties. They are paired. The last three pairs are analog to the first pair. The possible valid values listed under the first property xxx.datasource.dbms of the first pair can also be specified for the first property of the following pairs.

Do not assign the same schema name twice for database domains that reside in the same database instance.

For example, if the release database domain resides in a database named DB1 and uses the schema SCHEMA1, no other domain in the same database instance can use that same schema name SCHEMA1. This restriction applies to domains in the same database instance only. Using the same schema name more than once in different database instances of the same database management system is no problem.

rel.datasource.dbms = your_DBMS

Database management system (DBMS) for the release database domainDefault is DERBY. Valid values are listed in the following table. They are also valid for the property xxx.datasource.dbms properties in the following three property pairs.

DBMS used	DBMS value for xxx.datasource.dbms properties
Apache Derby	DERBY
IBM DB2 Universal Database™ for z/OS	DB2_ZOS
IBM DB2 Universal Database Enterprise Server Edition	DB2
IBM DB2 Universal Database for i	DB2_ISERIES
Oracle Enterprise Edition	ORACLE
Microsoft SQL Server Enterprise Edition	SQLSERVER2005

rel.datasource.schema = ( RELEASE )

Schema used for database objects in the release database domain.

cust.datasource.dbms = your_DBMS

Database management system for the customization database domainDefault is DERBY. For valid values refer to rel.datasource.dbms.

cust.datasource.schema = ( CUSTOMIZATION )

Schema used for database objects in the customization database domain.

comm.datasource.dbms = your_DBMS

Database management system for the community database domainDefault is DERBY. For valid values refer to rel.datasource.dbms.

comm.datasource.schema = ( COMMUNITY )

Schema used for database objects in the community database domain.

jcr.datasource.dbms = your_DBMS

Database management system for the JCR database domainDefault is DERBY. For valid values refer to rel.datasource.dbms.

jcr.datasource.schema = ( JCR )

Schema used for database objects in the JCR database domain.

The following property specifies the database domain tracking daemon setting:

domain.tracker.wait = (1000)

Time for which the domain tracking daemon waits for a response by the database domain until it polls again. The value is specified in milliseconds. Default is 1000 (milliseconds), which is equivalent to 1 second.

This daemon does not poll continuously, but only in case of errors. Therefore increasing this value will not reduce normal database traffic.

Loader Service

The Loader Service is responsible for dynamically loading class files in four categories: commands, and supporting classes for screen templates, skin templates, and theme templates. The service does so by looking up a given (class) name in different packages. Upon loading the respective class file, an instance on that class is returned. To optimize the efficiency, the implementation of the service is free to cache loaded class files or instances and return a cached instance. That means that the implementation of any such classes must be thread safe.

In cases where additional or alternative commands are required, the following configuration properties can be modified:

command.path

The package prefix(es) in which commands are searched.

Localizer Service

The Localizer Service provides access to the configured default locale and the system default locale. It also provides a list of supported bidirectional languages.

Give the system default locale is necessary because Locale.getDefault() is set to the default.

Although the locale is set during installation time, it is possible to change the locale at a later time by modifying the following properties in the LocalizerService:

locale.default.language

The language of the locale, for example, EN or PT.

locale.default.country

The country or region code of the locale, for example, US or BR.

locale.default.variant

The variant code of the locale.

The default language must be supported by WebSphere Portal. If you leave all three parameters without a specified value, the system locale is used as the default locale.

All parameters are case-insensitive. The ISO standard ISO-639 is used for the language codes of most languages. For Hebrew the old language code iw is used. The ISO standard ISO-3166 is used for the country/region codes.

Navigator Service

Key	Meaning	Default value
public.session	Set true to give anonymous users a public session. When true, the remote cache scope for public pages is non-shared (private). If false, remote cache scope is set to shared (public). There are performance implications with the true setting.	false
public.expires	Cache expiration time (in seconds) for caches outside of WebSphere Portal and for unauthenticated pages only. These caches must adhere to the HTTP 1.1 specification (RFC 2616). The public.expires key specifies the time after which HTTP caches should drop the response. This can be further restricted by the remote.cache.expiration key. This value is used as a maximum value for the cache expiration time and as a global default value for unauthenticated pages. If the setting remote.cache.expiration is also set to a value greater than or equal to 0, the smaller one of the two values is used. WebSphere Portal calculates and aggregates the remote cache informatione that is the scope and expiration time, by a number of parameters contributed by themes, pages, and portlets besides the settings described here. Therefore WebSphere Portal can do any of the following internally while processing a request: Reduce the cache lifetime Reduce the cache scope, for example, from public (shared) to private (non-shared) Switch off the overall cachability of pages. Therefore this value might not be static for all responses resulting from requests to unauthenticated pages. The response of WebSphere Portal sets the following header fields: The Expires header with the expiration time added to the system date and time. The Cache-Control : max-age = header with the expiration time as its parameter. The default setting specified in this file is 60 seconds. If no value is specified, WebSphere Portal defaults the value to 60 seconds.	60 (sec)
remote.cache.expiration	Maximum cache lifetime (in seconds) of a page, both public and private. Use this setting to specify a global value for the expiration of pages in remote caches. Setting this value to 0 switches caching off in remote caches. If the legacy setting is not available, this setting is used for authenticated and unauthenticated pages. If the legacy setting is available, then the smaller of the two values is used for unauthenticated pages only. In this case the remote.cache.expiration setting is used for authenticated pages in general. If theme, composition, and portlets contribute remote cache information, then the global settings also contribute to the information. In this case the lowest of the values of all contributors is used, including the global settings. The default setting specified in this file is 60 seconds. If no value is specified, WebSphere Portal defaults the value to zero (0 seconds).	0 (sec)
remoteCacheInfo.response.header.vary	HTTP headers that force a proxy to cache different variants of the same URL. Use this setting to specify a comma separated list of HTTP header fields to which WebSphere Portal should refer in its vary field of the generated HTTP response. This is required to ensure that proxy caches can invalidate entries in their cache if the specified header fields do not match from request to request.	User-Agent
public.cache-control	Value set for the cache-control HTTP header field when the portal generates a response in request for public pages. This header field controls the behavior of all caching mechanisms along the request/response chain.	no-cache
private.cache-control	Value set for the cache-control HTTP header field when the portal generates a response in request for private pages. This header field controls the behavior of all caching mechanisms along the request/response chain.	no-cache

Registry Service

The RegistryService loads and caches a small number of objects which are regularly accessed in the engine. This improves performance, however the trade off is that the cached objects are possibly stale compared to their database counterparts. This applies particularly in a cluster environment. If the age of those objects causes a problem, try reducing the refresh rate for the respective entities.

default.interval = (1800)

The default interval for refreshing a bucket. The amount is specified in seconds, for example default.interval = 1800.

bucket.<bucket-name>.class

The type of class that the bucket with the given name is caching.

bucket.<bucket-name>.reload [optional = true]

Whether or not the bucket with the given name is reloaded in frequent intervals.

bucket.<bucket-name>.interval = (default.interval)

The length of the reload interval for the bucket with the given name. If no value is set, the default.interval setting is used.

bucket.<bucket-name>.sorted [optional = false]

Whether or not the bucket with the given name needs to keep the cached objects in a sorted order. The sorting order is determined by the objects themselves.

The bucket names are described in the following:

theme	Cache the database representation of all themes stored in the database.
skin	Cache the database representation of all skins stored in the database.
language	Cache the database representation of all languages stored in the database.
client	Cache the database representation of all clients stored in the database.
markup	Cache the database representation of all markups stored in the database.

Portlet Container Service

This section lists and describes the PortletContainer service related settings.

legacy.portlet.enable.filtering = (true)

Whether or not to use Portlet Filtering.

The portlet container service also contains the properties for configuring parallel portlet rendering. For details refer to the separate topic about parallel portlet rendering Parallel portlet rendering.

Pipe Pool Service

Pipes are used to buffer content.

For example, for parallel portlet rendering the pipes are used to pass portlet content between threads.

To improve performance, all pipes are held in a pool for reuse. Configuration settings for the pool are located in the PipePoolService.

Variations in the usage of the pipes result in increase or decrease of the pool size. Configure the pool size to be more stable by increasing the strength of the hysteresis function. This smoothens how directly the pool size follows the number of accesses. A second property defines the compacting ratethat is how often the pool size is actually reduced as determined by the hysteresis function.

parallelRenderingPoolHysteresis = (10)

Specify the number of accesses to the pool that determines the strength of the hysteresis function. The default is 10.

parallelRenderingPoolCompactRate = (300)

Specify after how many seconds the pool size is actually reduced. The default is 300 seconds (= 5 minutes).

The pipes are also known as queues. Configure pipemanaged by this pool by setting the following parameter:

parallelRenderingPoolQueueSize = (5120)

Size of the queues in bytes. The default is 5120.

For details refer to the separate topic about parallel portlet rendering Parallel portlet rendering.

Content Access Service

Portlets can access content from remote systems that are located on the other side of a firewall by invoking the Content Access Service. The following settings are used to configure the Content Access Service, but only for those portlets that call this service. Configure these settings at either of the following locations:

• Under the WP PortletServiceRegistryService in the WAS admin console.
• In the property file PortletServiceRegistryService.properties under the items beginning with com.ibm.wps.pe.pc.legacy.service.ContentAccessServiceImpl.

com.ibm.wps.pe.pc.legacy.service.ContentAccessServiceImpl.no.proxy.for =

Specifies host names for which ContentAccessServices does not use a proxy, even if a proxy is configured. Values must be separated by semicolon ( ; ). Wildcards are not supported.

Example: com.ibm.wps.pe.pc.legacy.service...no.proxy.for =localhost;127.0.0.1

com.ibm.wps.pe.pc.legacy.service.ContentAccessServiceImpl.protocol.handlers =

Assigns additional URL protocol handlers that Java uses to handle connections to various URL protocols. Values must be separated by a vertical bar ( | ). The default is usually sufficient, as it supplies a handler for HTTPs URLs.

Example: com.ibm.wps.pe.pc.legacy.service...ServiceImpl.protocol.handlers = com.ibm.net.ssl.internal.www.protocol

Proxy protocol and port settings:

This section allows us to specify proxy protocol and port settings for different protocols. You must specify for each protocol the name and port number of the proxy servers that we use.

The general format is as follows:

com.ibm.wps.pe.pc.legacy.service.ContentAccessServiceImpl.proxy.http.host = hostname

Specifies an HTTP proxy host for HTTP URLs.

com.ibm.wps.pe.pc.legacy.service.ContentAccessServiceImpl.proxy.http.port = port number

Port for the HTTP proxy. If this is not specified, 80 is used as the default value.

com.ibm.wps.pe.pc.legacy.service.ContentAccessServiceImpl.proxy.https.host

Specifies an HTTP proxy host for HTTPs URLs. The proxy must support CONNECT requests, otherwise known as 'tunneling' requests.

com.ibm.wps.pe.pc.legacy.service.ContentAccessServiceImpl.proxy.https.port

Port for the HTTP proxy. If this is not specified, 80 is used as the default value.

com.ibm.wps.pe.pc.legacy.service.ContentAccessServiceImpl.socks4.host

Specifies a SOCKS V4 proxy host for any URL.

com.ibm.wps.pe.pc.legacy.service.ContentAccessServiceImpl.socks4.port

Port. If this is not specified, 1080 is used as the default value.

com.ibm.wps.pe.pc.legacy.service.ContentAccessServiceImpl.socks5.host

Specifies a SOCKS V5 proxy host for any URL.

com.ibm.wps.pe.pc.legacy.service.ContentAccessServiceImpl.socks5.port

Port. If this is not specified, 1080 is used as the default value.

com.ibm.wps.pe.pc.legacy.service.ContentAccessServiceImpl.proxy.auth.enabled

Specifies if authentication should be tried for proxied connections. This applies to the proxy server, not to the origin server from which the ContentAccessService is fetching. Also, this only applies to HTTP proxy (with settings from proxy.http.* and proxy.https.*) and SOCKS proxy (with settings from proxy.socks4.* and proxy.socks5.*).

com.ibm.wps.pe.pc.legacy.service.ContentAccessServiceImpl.proxy.auth.credentialslot

Specifies if proxy authentication should be used for connections that use a proxy server. Provide the user ID and password in a credential slot of the portal credential vault. You must also specify the name of this slot in the content access service configuration. The credential must have the type UserPasswordPassive. Proxy authentication applies to the proxy server, not to the origin server from which the ContentAccessService is fetching. Also, this only applies to HTTP proxy (with settings from proxy.http.* and proxy.https.*) and SOCKS proxy (with settings from proxy.socks4.* and proxy.socks5.*).

If no proxy host is set, WebSphere Portal tries to load all URLs directly. If no port is set, the default port for HTTP (80) is used. Alternatively, we can socksify the TCP/IP stack of the system.

Examples:

The name of the HTTP proxy host:

com.ibm.wps.pe.pc.legacy.service.ContentAccessServiceImpl.proxy.http.host = host.somewhere.ibm.com

The name of the HTTP proxy port:

com.ibm.wps.pe.pc.legacy.service.ContentAccessServiceImpl.proxy.http.port = 80

The name of the tunneling HTTPs proxy host:

com.ibm.wps.pe.pc.legacy.service.ContentAccessServiceImpl.proxy.https.host = securehost.somewhere.ibm.com

The name of the HTTPs proxy port:

com.ibm.wps.pe.pc.legacy.service.ContentAccessServiceImpl.proxy.https.port = 443

HTTP client service

Several components of the portal need to open HTTP or HTTPs connections to other resources. The HTTP Client Service provides a central point for configuration properties to these outbound connections. We can set global settings for the SSL configuration and proxy server usage.

1. These settings do not currently replace all individual portlet proxy configuration settings. To set the proxy settings for specific portlets, consult the documentation for each portlet for how to modify their specific settings.

2. Some functional components of the portal can overwrite each of the settings if the component configuration differs from the global value. The following describes the global settings only; if a component allows us to set component specific properties, these are described in the respective component documentation.

global.ssl.configuration = (NodeDefaultSSLConfig)

Name of an SSL configuration to be used for secure communication as defined in the WAS security configuration.

global.sso.domain = domain name

Domain that starts with a dot, for example .a.com and denotes the range of hosts to which single-sign on cookies, such as LTPA, are forwarded from a client request. If the property is not set, single sign-on cookies are not forwarded to any remote host.

global.proxy.http.host = host name

Specify a proxy host for HTTP URLs. If no proxy host is set, the portal tries to load all HTTP URLs directly.

global.proxy.http.port = port number

Specify the port for the HTTP proxy. If no value is specified, 80 is used as the default value.

global.proxy.https.host = host name

Specify a proxy host for HTTPs URLs. If no proxy host is set, WebSphere Portal tries to load all HTTPs URLs directly.

global.proxy.https.port = port number

Proxy port for HTTPs URLs. If no value is specified, 443 is used as the default value.

global.proxy.auth.credentialslot = slot name

Set this property if you want proxy authentication to be used for connections that use a proxy server. Provide the user ID and password in a credential slot of the portal credential vault. You then specify the name of this credential slot in this property. The credential must have the type UserPasswordPassive. Proxy authentication applies to the proxy server only, not to the target server of the outbound connection.

global.proxy.excludehost = host name

Specify a particular host for which no proxy connection is used, even if a proxy is configured. We can set this property multiple times. Specify one setting for each hoso that is excluded from proxy connections.

Cache Manager Service

The Cache Manager Service is responsible for managing the different caches used in WebSphere Portal v8.0. The portal provides two different types of caches: shared and non-shared.

Shared caches

The shared caches are cluster aware. This means that deleting an element from the cache on one cluster node results in deleting that element from the corresponding cache instances on all other nodes. This ensures that frequently changing data are kept consistent over the whole cluster installation.

Non-shared caches

The non-shared caches are used for data where cluster awareness is of no concern. This avoids unnecessary network communication overhead.

Plan well ahead and apply special care when modifying these parameters. There are two levels of parameters:

cacheglobal parameters

Default setting which is to be used for all caches unless explicitly overridden by the corresponding cache instance parameter.

cacheinstance.cacheidentifier parameters

They are used to override a global setting, for example the size of the cache, for a specific instance of a cache.

Change some or all of these settings can dramatically improve or impair portal performance. Therefore IBM recommends not to change the shared setting for any cache unless the consequences are absolutely understood and agreed. To determine the optimal values for the size, lifetime, admit-threshold and replacement parameters, monitor the cache parameters during the staging phase of the portal installation. Use the Tivoli Performance viewer that is the WAS PMI client (PMI = Performance Monitoring Interface) to find the optimal settings for your environment.

The parameters for the Cache Manager Service for both shared and non-shared caches are listed in the following:

cacheglobal.enabled = [ true | false ]

cacheinstance.cacheidentifier.enabled = [ true | false ]

Control whether caching is enabled or not. Use this parameter with care !

cacheglobal.size = number

cacheinstance.cacheidentifier.size = number

Number of elements that can be put into the cache before eviction takes place. The eviction uses a "near LRU" algorithm.

cacheglobal.shared = [ true | false ]

cacheinstance.cacheidentifier.shared = [ true | false ]

Whether a cluster-aware cache is to be used or not.

cacheglobal.lifetime = number

cacheinstance.cacheidentifier.lifetime = number

Specify the lifetime of elements in the cache in seconds. When the specified lifetime is up, elements are not discarded from the cache immediately. They are evicted when the next element is inserted. Specifying -1 means an infinite lifetime. In this case no timeout is applied and the cache entry is never evicted.

randomizePercent = number

cacheinstance.cacheidentifier.randomizePercent= number

Randomize cache entry lifetimes to some extent. If all entries in a cache have the same lifetime, this can result in high loads on the database when reloading entries, as large amounts of entries are evicted at the same time.

Specify as a numeric value given in percent.

For example, a value of 25 means that all cache entry lifetimes are up to 25% more or less than the default lifetime (given by the lifetime parameter). No cache entry will have a lifetime less than 50% of the default value, no matter how large we specify the value for this parameter. By default no value is specified. In this case lifetimes are not randomized, and all cache entries have the default lifetime.

If set the default lifetime parameter to infinite by the value -1 , the lifetime randomization setting is not applied, even if we specify a value for the randomizePercent parameter.

We can view the actual randomized lifetime of a cache entry by enabling tracing for class com.ibm.wps.services.cache.AbstractCache.

We can set the following additional parameters for non-shared caches. (Setting them for shared caches does no harm, they will be ignored.)

cacheglobal.replacement= [aggressive | moderate | conservative]

cacheinstance.cacheidentifier.replacement= [aggressive | moderate | conservative]

Controls the eviction algorithm behavior.

cacheglobal.admin-threshold = number

cacheinstance.cacheidentifier.admin-threshold = number

Admittance threshold. Use this parameter to keep unwanted entries from the cache. An entry is cached only if it is put into the cache as often as specified by the value for this parameter. If you want each entry to be cached, set this parameter to zero ( 0 ).

The cache identifiers are described in the following:

com.ibm.wps.pe.deployedresources

Use this cache instance to cache servlet configuration information and the database representation of all web modules stored in the database.

com.ibm.wps.pe.portletregistry

Use this cache instance to cache the database representation of all portlets stored in the database.

com.ibm.wps.pe.portletdefinition

Use this cache instance to cache the database representation of all portlet applications stored in the database.

State Manager Service

Manage the navigational state of the portal.

preprocessors = (com.ibm.wps.state.preprocessors.selection.StandardPortalSelectionImpl)

List of one or more preprocessors used.

Do not replace the following default values with your values. The default values are mandatary, cannot be replaced it by a different value, and must be processed in the following order...

preprocessors =
com.ibm.wps.state.preprocessors.urlmapping.URLMappingPreProcessor,
com.ibm.wps.resolver.friendly.preprocessors.FriendlyPreProcessor,
com.ibm.wps.resolver.portal.ResolvedPreprocessor,
com.ibm.wps.state.preprocessors.selection.StandardPortalSelectionImpl,
com.ibm.wps.state.preprocessors.selection.FragmentSelectionImpl,
com.ibm.wps.state.preprocessors.selection.ResourceSelectionImpl,
com.ibm.wps.state.preprocessors.eclipse.ExtensionPreProcessor,
com.ibm.wps.state.preprocessors.portlet.RequestParameterMerger

To add our own custom preprocessors...

1. Enter the default values in the above sequence
2. Append your custom preprocessors to the end of the list

The required syntax is (classname (, classname) * ) 1 .

Of the default values given, the following two selection preprocessors are alternative options. They process the page selected by the user. All other preprocessors are for portal internal use only and must not be changed.

Both of the following selection preprocessors are mutually exclusive. This means that they cannot be used in combination with each other.

com.ibm.wps.state.preprocessors.selection.StandardPortalSelectionImpl

Implement the standard portal selection behavior which prefers displaying pages over displaying labels. This means that if a user selects a label, the portal displays a page under that label, rather than the label itself with the message sayinthat there is no content available. (In this case the page displayed is the last page that the user selected under this label, or is that page is not available, the first available page under the label.) This value is the default.

com.ibm.wps.state.preprocessors.selection.SimpleSelectionImpl

Implement a simple selection strategy; it always displays the element selected by the user, regardless of whether the user selects a label or a page. If the user selects a label, the portal displaythat label with the message that there is no content available. We can replace this value for the previously listed default value.

keymanager.lru.size = ( integer )

Specify the history expiration limit of portal pages visited by users. The number that we specify defines the minimum number of different pages selected by the user after which the portal can discard the render parameters of a page. (The decision whether the render parameters of the page are actually discarded depends on the expiration policy of the internal cachthat stores the render parameters of those pages.) If the user returns to a page after visiting the specified number of other pages and if the render parameters on that page have expired, the portal displaythat page in its default state.

We can specify by which circumstances the render parameters of a page are stored or discarded:

1	Each time that the user selects a different page, the render parameters of the portlets on the previously selected page can be discarded.
A positive integer	Specify the required number of pages. The render parameters of a given page can be discarded after the user has visites that number of other pages.
0	Render parameters are always stored in the portal session memory and never discarded. Do not specify a value less than zero ( 0 ). Negative values are considered to be not valid.

URL normalization for search of portal pages by external search engines

The following parameter is used to configure the normalization of the URL of the portal. URL normalization is required to enable external search engines to crawl the content of the portal. For this purpose URL normalization performs the following:

• It removes all elements from a portal page URL used for portal internal purposes.

  For example, these are actions, which are coded into the URL and change the portal state.

• It reduces the portal page URL to those elements required for a crawler to read the URL and crawl the portal page.

com.ibm.wps.state.outputmediators.OutputMediatorFactory.normalization_xsl_file = ( UrlNormalization_MIN.xsl )

XSL stylesheet file that defines the transformation that should be used in order to normalize the portal URL. (This parameter needs to be set all on one line and concatenated.Default is UrlNormalization_MIN.xsl. The following two files are available to allow for a minimum or maximum transformation:

UrlNormalization_MIN.xsl

This XSL stylesheet contains the states for portlet-mode, window-state, renderparameters, selection, and locale in the normalized URL. This transformation represents the minimum set of states that have to be defined in the URL. All other states are removed from the URL. Default.

UrlNormalization_MAX.xsl

This XSL stylesheet contains the states for portlet-mode, window-state, renderparameters, selection, solo, locale, and screen-template. This maximum transformation represents the set of states that can be defined in a normalized URL for a web crawler. All other states are removed from the URL.

The meaning of the different states listed for the minimum and maximum normalization style sheets is as follows:

portlet-mode

Portlet modes allow a portlet to display a different user interface, depending on the task that the user performs with the portlet. A portlet has five modes of display: view, help, edit, edit_defaults, config.

window-state

Portlet states allow users to change how the portlet window is displayed within the portal. Users can choose from three different states: maximized, minimized, normal.

renderparameters

Parameters set to render a portal page.

selection

Selected portal page.

solo

A portlet can also be displayed in solo state. Solo state hides the portal theme elements, such as a banner, page navigation, or tool bar.

locale

Language in which the page is presented.

screen-template

Screen used on the portal page.

theme-template

Theme used on the portal page.

We can also set up our own URL normalization. To implement a URL normalization that is different than those provided by the two XSL stylesheets that come with the portal, create our own XSL stylesheet and set it as the value for the URL normalization parameter:

1. Here is an example for creating our own XSL stylesheet:

   <?xml version="1.0" encoding="UTF-8"?>
   
   <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
   
        <xsl:output method="xml" version="1.0" encoding="UTF-8" indent="yes"/>
   
        <xsl:template match="text()"> </xsl:template>
   
        <!-- Traverse through the tree starting at the root element -->
        <xsl:template match="root">
   
             <xsl:copy>
                  <xsl:copy-of select="@*"/>
   
                  <!-- Search for the state node with the attribute type = navigational -->
                  <xsl:apply-templates select="state[@type='navigational']"/>
   
             </xsl:copy>
        </xsl:template>
   
        <!-- Selection of all states which should stay coded in the URL -->
        <!-- Allowed States: portlet-mode, window-state, renderparameters (param, value, text),      
                selection, solo, locale , screen-template -->
   
        <xsl:template match="state">
             <xsl:copy>
                  <xsl:copy-of select="@*"/>
                  <xsl:apply-templates select=" . . . "/>
                  . . .
             </xsl:copy>
        </xsl:template>
        ... 
   </xsl:stylesheet>
   

2. Set the name of the new XSL stylesheet as the value for the URL normalization parameter:
   com.ibm.wps.state.outputmediators.OutputMediatorFactory.normalization_xsl_file = UrlNormalization_Your_Own_Style_Sheet_File_Name.xsl

Administrator Unique Names Mapping Service

Administration portlets and themes create URL links to other administration portlets and pages. If these links were hardcoded, they would no longer be usable if you changed the unique names of these pages. Therefore a service for obtaining those unique names is provided in the AdminUniqueNamesMappingService. This file contains key-value pairs mapping internal keys to the actual unique names which are assigned to the referenced pages.

If you change the unique name of a portal administration page using the Manage Unique Names portlet, you also need to updata that name in the properties. This is required so that the theme and administration portlets still function. The available mappings are defined as follows:

     # ----------------------------------------------- #
     # Portal administration page unique names mapping #
     # ----------------------------------------------- #
     # Internal key           unique name              #
     # ----------------------------------------------- #
     #
     #CONTENT_LAYOUT          = ibm.portal.Content
     #APPEARANCES             = ibm.portal.Appearance
     #MANAGE_PAGES            = ibm.portal.Manage Pages      #UNIQUE_NAMES            = ibm.portal.Custom Unique Names
     #ASSIGN_ROLES            = ibm.portal.Resource Permissions      #PROPERTIES_PORTLET      = ibm.portal.Page Properties       
     #MY_FAVORITES            = wps.My Favorites       
     #ORGANIZE_FAVORITES      = wps.Organize Favorites       
     #SET_PERMISSIONS         = ibm.portal.Locks         
     #MANAGE_LOG              = ibm.portal.Enable Tracing         
     #MY_PORTAL               = ibm.portal.Home
     #ADMINISTRATION          = ibm.portal.Administration
     #PAGE_CUSTOMIZER         = ibm.portal.Page Customizer       
     #PORTLET_MANAGER         = ibm.portal.Web Modules       
     #MANAGE_MY_PORTLETS      = ibm.portal.Portlets
     #MANAGE_MY_PORTLET_APPS  = ibm.portal.Applications
     #MANAGE_WEBSERVICES      = ibm.portal.Web Services      
     #IMPORTXML               = ibm.portal.Import XML      
     #SEARCH_CENTER           = ibm.portal.Search Center
     #VIRTUAL_PORTAL          = ibm.portal.Virtual Portal       
     #LOGIN                   = wps.Login       
     #SELFCARE                = wps.Selfcare      
     #APP_PROPERTIES          = ibm.portal.Template and Application Properties
     #APP_PARAMETER           = ibm.portal.Template Parameters
     #APP_ROLES               = ibm.portal.Application Roles
     #APP_TEMPLATES           = ibm.portal.Templates
     #APP_MEMBERSHIP          = ibm.portal.Application Membership
     #APP_CATALOG             = ibm.portal.Catalog
     #APP_LAYOUT              = ibm.portal.Template and Application Layout
     #PZN_PICKER_PAGE         = ibm.portal.Personalization.Picker  

Examples of where these unique names are used are: Theme links for 'New Page', 'Edit Page', and 'Assign Permissions'.

Portal Security Services

The following sections describe the different configuration services provided for Portal Access Control and authentication.

Access Control Data Management Service

The Access Control Data Management Service contains the configuration settings for Portal Access Control. The domain short names have to correspond to the domain namedefined for the Data Store Service.

The following set of properties is mandatary for each database domain containing resources that need to be protected by Portal Access Control:

accessControlDataManagement.domain.domain_short_name.adminuser = full DN of the administrative user for this domain

Administrative user. As the value specify a full DN that corresponds to a valid entry in the associated user repository. Mandatory.

accessControlDataManagement.domain.domain_short_name.admingroup = full DN of the administrative group for this domain

Define the administrative group. As the value specify a full DN that corresponds to a valid entry in the associated user repository. Mandatory.

accessControlDataManagement.domain.domain_short_name.virtualresource = name of the virtual root resource of this domain

Virtual root resource. The value is the name of a virtual resource that actually exists in the domain and represents the root of the protected resource hierarchy in this domain. This property is meant for internal use only; do not change its value.

The administrative user and group are granted administrator roles on the full hierarchy of protected resources starting from the virtual root resource of the domain defined with the third setting. These roles are granted in addition to the portal roles of the user or group and therefore not displayed in the Access Control portlets. A valid set of values to these properties could for example look like the following:

accessControlDataManagement.domain.rel.adminuser=uid=Bob,o=Your Company
accessControlDataManagement.domain.rel.admingroup=cn=Admins,o=Your Company
accessControlDataManagement.domain.rel.virtualresource=PORTAL
accessControlDataManagement.domain.cust.adminuser=uid=Bob,o=Your Company
accessControlDataManagement.domain.cust.admingroup=cn=Admins,o=Your Company
accessControlDataManagement.domain.cust.virtualresource=PORTAL
accessControlDataManagement.domain.comm.adminuser=uid=Bob,o=Your Company
accessControlDataManagement.domain.comm.admingroup=cn=Admins,o=Your Company
accessControlDataManagement.domain.comm.virtualresource=PORTAL
accessControlDataManagement.domain.jcr.adminuser=uid=Bob,o=Your Company
accessControlDataManagement.domain.jcr.admingroup=cn=Admins,o=Your Company
accessControlDataManagement.domain.jcr.virtualresource=PORTAL

The following additional properties of the Access Control Data Management Service are optional:

accessControlDataManagement.enableNestedGroups = (true)

Whether the group membership of groups is exploited at all by the Portal Access Control component. Supported values are: true and false. The default is true.

accessControlDataManagement.enableTargetResourceGroupInheritance = (false)

Whether the group membership of groups is exploited by the Portal Access Control component for permission enforcement on users or groups. If we specify false, we can only get permissions on user groups via roles on the groups and on users via roles on the direct groups of which the user is a member. Supported values are: true and false. The default is false.

accessControlDataManagement.reorderRoleNames = (false)

Whether the role name contains the unique name or the title of the resource on which the role was created. Specify true when we use an external authorization provider, such as IBM Tivoli Access Manager, as this makes it easier to find the role names. Supported values are: true and false. The default is false.

accessControlDataManagement.externalizeAllRoles = (false)

This property is only applicable for externalization of resources through the user interface. the default value is false. If the property is set to false and a resource is externalized, then the following things happen:

1. The resource and all descendants of this resource that are not private and not externalized so far are externalized.

2. The roles and role mappings that exist on all resources that were identified in the previous step 1 are written into the external security manager object space.

3. For the root resource that was chosen to be externalized, a role mapping for the Administrator role for the executing user is created in the external security manager object space.

If set to true, then in addition to the previous three steps, roles are created in the external security manager object space for all action sets for the root resource that have not already been created in steps 2 and 3.

accessControlDataManagement.createAdminMappingXMLAccess = (true)

This property is only applicable for externalization of resources through xmlaccess.sh. If the property is set to false and a resource is externalized the following happens:

1. The resource will be externalized.

2. The roles and role mappings on the resource are written into the external security manager object space.

If the property is set to true, then in addition to the two previous steps, a role mapping for the Administrator role is created for the executing user in the external security manager object space.

Connect to the user repository during startup: Change the following two settings if you want the portal to wait and retry connecting to the underlying user repository, if it is not available during portal startup. This might be necessary in scenarios where the user repository is only available in a certain time frame after the initialization of the portal startup. As the domain administrative users and groups have to be resolved, the portal cannot start without connecting to the user repository. The service startup performs the specified number of attempts to connect to the user repository, each time waiting for the specified time interval before starting the next attempt. If none of the attempts is successful, the service startup quits with an exception.

accessControlDataManagement.ldapFailoverNumberOfAttempts = ( 1 )

Specify how many times the service startup attempts to connect to the user repository. The default is 1 (once).

accessControlDataManagement.ldapFailoverInterval = ( 60 )

How long the service startup waits until it retries to connect to the user repository. This value is specified in seconds. The default is 60 seconds.

Authentication Service

The Authentication Service contains the configuration settings for portal authentication, which is generally performed with a user ID and password.

authentication.execute.portal.jaas.login = (false)

Enable or disable the execution of the portal JAAS login:

false	Disable the execution of the portal JAAS login. Default. Disable this property only if you have no JAAS Login Modules defined for the portal application login configuration.
true	Enable the execution of the portal JAAS login. We can enable this property if you have JAAS Login Modules defined for the portal application login configuration.

This is related to performance.

Use the following properties to define the custom filters in the various authentication filter chains in the portal. Each of these properties takes a comma-separated list of the fully qualified class names of the custom filter implementations. For concept information about authentication filters refer to Configure authentication filters.

login.explicit.filterchain = <none>

Custom filters for the filter chain that is triggered for an explicit login by user name and password. The classes listed in this property must implement the interface...

com.ibm.portal.auth.ExplicitLoginFilter.

login.implicit.filterchain = <none>

Custom filters for the filter chain that is triggered for an implicit loginthat is if the user is already authenticated to WAS but has no portal session yet. The classes listed in this property must implement the interface...

com.ibm.portal.auth.ImplicitLoginFilter.

logout.explicit.filterchain = <none>

Custom filters for the filter chain that is triggered for an explicit logout. The classes listed in this property must implement the interface...

com.ibm.portal.auth.ExplicitLogoutFilter.

logout.implicit.filterchain = <none>

Custom filters for the filter chain that is triggered for an implicit logouto that is if the user got a session timeout. The classes listed in this property must implement the interface...

com.ibm.portal.auth.ImplicitLogoutFilter.

sessiontimeout.filterchain = <none>

Custom filters for the filter chain that is triggered directly after an idle timeout of the session occurred. The classes listed in this property must implement the interface...

com.ibm.portal.auth.SessionTimeoutFilter.

sessionvalidation.filterchain = <none>

Custom filters for the filter chain that is triggered for every request before the action handling and rendering is processed. The classes listed in this property must implement the interface...

com.ibm.portal.auth.SessionValidationFilter.

filterchain.properties = <none>

Use an arbitrary set of properties according to the previous pattern to specify properties for any of the custom filters. The property value is then available to the specified filter class in the SecurityFilterConfig object passed to its init method.

Credential Vault Service

We can use the Vault Service configuration to specify Vault Adapter implementations used by the Credential Vault Service to store credential secrets. By default two Vault Adapter implementations are available: default-release and default-customization. Those Vault Adapters store credential secrets in the portal server data store. For each implementation, define a unique string type, a class name, and a domain. Optionally, we can specify a configuration file, managing resources, and a read only flag.

We can define the following properties for each Vault Adapter Implementation Type. To differentiate the settings for each type, the properties are in the format vault.type.key . Replace type by the Vault Adapter Implementation Type, and replace key by the key. The following list shows the keys that we can append:

class

Specify the Vault Adapter Implementation Class Name, but without the .class extension. This parameter is mandatary.

config

Specify the path of a configuration file that your adapter may need . Optional.

domain = (rel)

Specify the database domain where the segment and slot configuration data is stored. In the special case of the DefaultVault, this also specifies where the actual credentials are stored. This parameter is mandatary. Possible values are all available database domains as specified in the DataStore ServiceDefault is rel; this specifies the release domain.

manageresources = (false)

Whether the VaultAdapter should create and delete resources. Optional.

If true, the adapter must have internal support to manage resources. If you omit this parameter, it will default to false .

readonly = (true)

Whether the underlying vault for this adapter should be considered read only. Optional.

If true, the manageresources parameter is ignored. If you omit this parameter, it will default to true .

Additionally, we can set the following configuration values:

systemcred.dn

Specifies the Distinguished name (DN) of the vault administrative user. All system credentials are stored under the user's account. This key is set to the portal administrative user by default.

export.userDN

This is the user DN value of the XML Access user allowed to import/export secrets via the XML Configuration interface. This is usually the same user DN string as defined in the same configuration file under the key systemcred.dn. This user needs authority to use the XML Configuration interface and has to be used during the import/export. Otherwise an import/export of credential secrets is not possible.

export.cipher

The cipher used during export for encryption. This cipher has to be available via Java JCE in the WebSphere Portal systemDefault is AES.

export.keyLength

Number of bits used as key length for the cipherDefault is 128.

export.enforceSSL

This field controls if credential import/export must be done via secured HTTP connection (value=true) or if it shall be allowed to import/export credentials also via an unsecured HTTP connection (value=false). The default value is true.

External Access Control Service

The External Access Control Service is responsible for collecting any authorization data from external security managers, such as Tivoli Access Manager. These are the parameters set by the configuration of external security managers procedures.

The following configuration parameters can be modified in External Access Control Service. However, plan well ahead and apply special care when modifying these parameters.

General properties of the External Access Control Service:

These properties are used for general purposes of the External Access Control Service.

externalaccesscontrol.ready = (false)

This flag indicates whether the configuration in this file has been configured to connect to the External Security Manager. The default is false.

externalaccesscontrol.server = WebSphere_Portal

externalaccesscontrol.application = WPS

externalaccesscontrol.cell = cell

Role name representations are qualified with a context built by these three parameters.

For example, the Administrator@External_Access_Control/xxx/xxx is represented as follows:

Tivoli Access Manager: Protected object space entry

/WPSv6/Administrator@External_Access_Control/xxx/xxx/WPS/WebSphere_Portal/cell

Access Manager configuration:

Configure the connection between WebSphere Portal and the Tivoli Access Manager.

externalaccesscontrol.pdroot = (/WPSv6)

After completing the AMJRTE and SrvSslCfg configuration tasks, the following directives are required to allow WebSphere Portal to use TAM as an External Security Manager. Provide the root of your Protected Object Space for Portal Server entries.

externalaccesscontrol.pduser = sec_master

externalaccesscontrol.pdpw = passw0rd

Provide an admin user ID and password with adequate rights in Tivoli to create, delete, modify the objects in the Protected Object Space. We can use the WAS PropFilePasswordEncoder utility to mask the password. Using PropFilePasswordEncoder will remove any comments and uncommented properties. Therefore create a back up copy of this file for future reference.

WAS_HOME/bin/PropFilePasswordEncoder WP_PROFILE/PortalServer/confExternalAccessControlService.properties externalaccesscontrol.pdpw

This command should be typed on one line in a command line window.

externalaccesscontrol.pdurl=file:///${WAS_INSTALL_ROOT}/java/jre/PdPerm.properties

Specify the URL location of the Access Manager properties file for AMJRTE. This URL must be in the format file:///directory_path_to_properties_file . HTTP URLs are not supported.

externalaccesscontrol.createAcl = (true)

Optional. Whether Access Control Lists (ACLs) are created in Access Manager for roles stored externally. The default is true. If this parameter is set to false, the Access Manager administrator will be responsible for all ACL linkages between Tivoli Access Manager and WebSphere Portal. Possible values for this parameter are:

true

A Tivoli Access Manager ACL will be created for every WebSphere Portal resource. Default.

false

No ACLs will be created for portal objects.

externalaccesscontrol.pdactiongroup = ([WPS])

externalaccesscontrol.pdAction = (m)

These parameters are optional. Specify the action group and the customized actions to map to portal role membership. If these items do not exist, they will be created at startup. The values previously given are the default values.

Auditing Service

The auditing service allows us to log has a set of events into a separate audit log file. All events are organized in groups.

For example, the logging events User created and User deleted are grouped together and can therefore only be switched on or off together. The section Available events lists and describes the events available for auditing.

The audit logging output is written to the audit log file. No other log messages are written to this file. For an explanation of the contents of the audit log file refer to the section Audit log file.

Auditing service configuration:

By default the audit logging service is disabled. This means that the service is loaded, but does not register any event listeners for audit logging. The auditing service configuration is controlled by the AuditService.

audit.service.enable = (false)

This is the global switch. Use it to switch the service on (true) or off (false). The default setting is false.

The actual log file access of the service can be configured using the following two properties:

audit.logging.class = com.ibm.wps.services.audit.logging.impl.AuditLoggingImpl

This property points to the logging class which writes the actual log statements to the log file. By default, this is set to the default implementation. Under normal circumstances there is no reason to replace it with another class.

audit.logFileName = log/audit_$create_time.log

Define the location and the name of the audit log file. The placeholder $create_time is replaced by a timestamp during filename generation. A second placeholder $APPSERVER_NAME is used for a vertical cluster configurations to make the log file name unique. Example:

audit.logFileName = log/audit_$APPSERVER_NAME_$CREATE_TIME.log

The auditing service allows us to have the transaction ID written to the audit log file. The project ID can also be written to the audit log file. As these IDs can be very long and might not be required in every environment, we can disable the inclusion of the IDs.

audit.showTransactionID.enable = (true)

Disable transaction IDs in the audit log. To do this, set to false. Default is true.

audit.projects.enable = (true)

Disable project IDs in the audit log. To do this, set to false. Default is true.

You determine the events to be logged by enabling the appropriate properties as required. Set the events to enable to the value true. The following groups of events are defined:

  audit.groupEvents.enable
  audit.userEvents.enable
  audit.portletEvents.enable
  audit.roleEvents.enable
  audit.roleBlockEvents.enable
  audit.ownerEvents.enable
  audit.resourceEvents.enable
  audit.externalizationEvents.enable
  audit.userInGroupEvents.enable
  audit.webModuleEvents.enable
  audit.applicationRoleEvents.enable
  audit.principalToApplicationRoleMappingEvents.enable
  audit.roleToApplicationRoleMappingEvents.enable
  audit.domainAdminDataEvents.enable
  audit.designerDeployServiceEvents.enable
  audit.impersonationEvents.enable  

The default value for all of these settings is false. That means that no events will be logged by default, even if you have switched the service on by setting the property audit.service.enable to true. For more details about which events are included in each group refer to Available events.

To enable one or more groups of events, set...

audit.eventGroup.enable = true

Audit log file:

All log messages start with a timestamp, followed by the optional transaction ID, the message code and the event message. Each event message contains the following:

• The user ID of the user who has performed the action which triggered the audit event

• Additional information about the event itself.

Events for actions that run in a transaction are written to the log file when the transaction is committed. If the transaction is rolled back, no event messages are written to the log file.

Events for actions that do not run in a transaction are written to the log immediately. In such cases it is not guarantees that the related action was completed successfully.

Available events:

This section lists the events that we can log using the auditing service. They are listed by the groups in which they are available. If you enable one group, all events is that group are logged.

Audit logging group	Audit logging event	Meaning of the event
audit.groupEvents	Group created event	A new user group has been created via portal UIs.
audit.groupEvents	Group modified event	A user group has been modified via portal UIs.
audit.groupEvents	Group deleted event	A user group has been deleted via portal UIs.
audit.groupEvents	User created event	A new user has been created via portal UIs.
audit.groupEvents	User modified event	A user has been modified via portal UIs.
audit.groupEvents	User deleted event	A user has been deleted via portal UIs.
audit.portletEvents	Portlet Application created event	A new web module or portlet application has been created via portal UIs.
audit.portletEvents	Portlet Application modified event	A web module or portlet application has been modified via portal UIs.
audit.portletEvents	Portlet Application deleted event	A web module or portlet application has been deleted via portal UIs.
audit.roleEvents	Role assigned event	A portal role has been assigned to a user. The user has been given the specified type of access permission on all resources that are affected by this role. For example, this can be EDITOR on Page1.
audit.roleEvents	Role unassigned event	A portal role has been unassigned from a user. The user no longer has the specified access rights on the resources that are affected by this role. For example, the user is no longer EDITOR on Page1.
audit.roleBlockEvents	Role block modified event	The portal role block information of a resource has been changed. The event message contains a list of blocked and non-blocked roles on the given resource. As roles can either be inherited or propagated, there are two separate lists for inheriting roles and propagating roles. If only propagating role blocks have been changed, the list for inheriting roles is empty and vice versa.
audit.ownerEvents	Resource owner modified event	The owner of a resource has been changed.
audit.resourceEvent	Resource created event	A new resource has been registered. This event is triggered when the resource is registered in Portal Access Control.
audit.resourceEvents	Resource modified event	A registered resource has been modified.
audit.resourceEvents	Resource deleted event	A registered resource is no longer registered in Portal Access Control. This usually happens when a resource is deleted.
audit.externalizationEvents	Resource externalized event	A resource has been externalized. This means that access permissions to this resource are no longer controlled by Portal Access Control, but by an external Access Manager. For example, this can be Tivoli Access Manager.
audit.externalizationEvents	Resource internalized event	A resource has been internalized. It is now controlled by Portal Access Control and no longer by an external Access Manager.
audit.userInGroupEvents	User added to group event	A user has been added to a group. The user is now a member of this group and therefore inherits access rights from the group.
audit.userInGroupEvents	User removed from group event	A user has been removed from a group. The user is no longer a member on that group and does no longer have the inherited access rights.
audit.webModuleEvents	Web Module installed event	A new web module has been installed or deployed.
audit.webModuleEvents	Web Module uninstalled event	An installed web module has been uninstalled.
audit.applicationRoleEvents	Application role created event	An application role has been created.
audit.applicationRoleEvents	Application role deleted event	An application role has been deleted.
audit.principalToApplicationRoleMappingEvent	Application role assigned event	An application role has been assigned to a user. The user has been given the access permissions contained in all the roles that are aggregated in this application role.
audit.principalToApplicationRoleMappingEvents	Application role unassigned event	An application role has been unassigned from a user. The user no longer has the access permissions contained in all the roles that are aggregated in this application role.
audit.roleToApplicationRoleMappingEvents	Role added to application role event	A portal role has been added to an application role. All permissions contained in the portal role are added to the application role. Effective immediately, these added permissions are given to all users or groups to whom the application role is currently assigned.
audit.roleToApplicationRoleMappingEvents	Role removed from application role event	A portal role has been removed from an application role. The users who had this application role no longer have the access permissione that are contained by this role.
audit.domainAdminDataEvents.enable	Domain administration data initialized event	The administrative data for a domain, such as administrative user, administrative group, and virtual root resource, has been initialized during the startup of the portal. For the lifetime of the current portal process, this user and group have administrative permissions on the domain resource hierarchy, starting from the virtual root resource. For details about this refer to the Access Control Data Management Service. This event is always thrown for each defined domain during server startup. As this is done by the system, no performing user will be logged.
audit.designerDeployServiceEvents.enable	Component installed event	A portlet application has been created using IBM Lotus Component Designer.
audit.designerDeployServiceEvents.enable	Component modified event	A portlet application created using IBM Lotus Component Designer has been modified.
audit.designerDeployServiceEvents.enable	Component uninstalled event	A portlet application created using IBM Lotus Component Designer has been deleted.
audit.impersonationEvents	Impersonation started event	A user started impersonation with another user.
audit.impersonationEvents	Impersonation ended event	A user ended impersonation with another user.
audit.impersonationEvents	Impersonation attempted with no permission event	A user tried to impersonate another user but has no permission.

Puma Store and Validation services

The following sections list and describe the configuration services for Portal User Management (PUMA): the Puma Store Service and the Puma Validation Service.

Puma Store Service

The Puma Store Service contains the configuration settings for Portal User Management.

The following properties configure both the Portal User Management and the PUMA SPI:

store.puma_default.user.fbadefault.filter =

Default search attribute for users. Usually the same as the Relative Distinguished Name (RDN) attribute of the LDAP. Depending on the environment, it might be a different attribute. The value should correspond to the value of one of the following parameters in wkplc.properties, depending on the security configuration:

• federated.ldap.loginProperties
• standalone.ldap.loginProperties

store.puma_default.group.fbadefault.filter =

Default search attribute for groups. Usually the same as the RDN attribute of the LDAP. Depending on the environment, it might be a different attribute. The value should correspond to the value of one of the following parameters in wkplc.properties, depending on the security configuration:

• federated.ldap.loginProperties
• standalone.ldap.loginProperties

store.puma_default.user.base.attributes =

Attribute subsets that portal loads during direct user lookups, for example at Login. Attributes that are not defined in this list are loaded by a separate request to the backend user store.

store.puma_default.user.minimum.attributes =

Attribute subsets that portal loads during attribute searches for users. Attributes that are not defined in this list are loaded by a separate request to the backend user store.

store.puma_default.group.minimum.attributes =

Attribute subsets that portal loads during attribute searches for groups. Attributes that are not defined in this list are loaded by a separate request to the backend user store.

store.puma_default.userManagement.cacheMode = (true)

Defines whether Puma uses a cache or not. The default for this property is true.

store.puma_default.logDuplicateKeyExceptions = (true)

Whether the DataStore component writes DuplicateKeyException error messages out to the portal log or not. This does not influence the error handling: With either setting, the exceptions are handled without an error to the portal system.

true

Default. If set to true or if the property is not set at all, the exception error messages are written to the log. The exceptions are handled without error to the portal.

false

If false, the error messages are not written out to the log. The exceptions are handled without error to the portal.

The following properties configure only the Portal User Management, but not the PUMA SPI:

store.puma_default.puma.commonname = ( {0} {1} )

The Registration / Edit My Profile portlet can generate the common name (CN) of a user automatically. Define how the CN is generated. We can define dynamic and static parts. Dynamic parts are added using {X}, where X stands as a reference number to the puma.commonname.that defines the attribute to place here. Dynamic parts can only be user attributes available and valid. The default is {0} {1}.

store.puma_default.puma.commonname.parts =

Number of dynamic parts in the common name.

store.puma_default.puma.commonname.X =

The user attribute for dynamic part X. X must be between 0 and puma.commonname.parts -1. The default is puma.commonname.0 = givenname and puma.commonname.1 = sn.

Puma Validation Service

The PUMA Validation Service contains the configuration settings for the Validation component of PUMA.

Properties for user validation:

user.YOURATTRIBUTE.max = (60)

Maximum number of characters allowed for the defined YOURATTRIBUTE. The default is 60.

user.YOURATTRIBUTE.min = (1)

Minimum number of characters allowed for the defined YOURATTRIBUTE. The default is 1.

user.YOURATTRIBUTE.charset = (ascii)

Character set against which characters are validated. Supported values are ascii and unicode. The default is ascii.

user.YOURATTRIBUTE.extra_chars = ( -._ )

Defines extra special characters which are not in the supported character set, but should be treated as valid. By default, the dash, period, and underscore are valid: -._

1. The YOURATTRIBUTE portion of the property needs to be spelt in uppercase.
2. The sets of attributes listed in the following sections follow the same pattern as the one previously.

Settings for the attribute user.fbadefault.filter defined in the Puma Store Service:

user.UNIQUEID = Value of the user.fbadefault.filter attribute

user.UNIQUEID.min = 1

user.UNIQUEID.max = 60

user.UNIQUEID.charset = ascii

user.UNIQUEID.extra_chars = -._

Properties for group validation:

group.RDN=

For this property specify the value of the group.fbadefault.filter attribute defined in the Puma Store Service.

group.extra = -,_

group.RDN.min = 1

group.RDN.max = 200

Properties for password validation:

password.min_characters = 5

password.max_characters = 60

password.charset = ascii

password.extra_chars = -._

xmlaccess.sh

• CP Configuration Service for tagging and rating
• Live Object Service
• Common Component Service
• Project Identification Service
• Model WebDAV Service
• Virtual Portal Configuration Service

Parent: Set service configuration properties
Related:
Language support
Related: Overview of configuration services
Web Content Manager configuration services
User IDs and passwords